\documentclass[journal]{IEEEtran}
%
% If IEEEtran.cls has not been installed into the LaTeX system files,
% manually specify the path to it like:
% \documentclass[journal]{../sty/IEEEtran}





% Some very useful LaTeX packages include:
% (uncomment the ones you want to load)


% *** MISC UTILITY PACKAGES ***
%
%\usepackage{ifpdf}
% Heiko Oberdiek's ifpdf.sty is very useful if you need conditional
% compilation based on whether the output is pdf or dvi.
% usage:
% \ifpdf
%   % pdf code
% \else
%   % dvi code
% \fi
% The latest version of ifpdf.sty can be obtained from:
% http://www.ctan.org/tex-archive/macros/latex/contrib/oberdiek/
% Also, note that IEEEtran.cls V1.7 and later provides a builtin
% \ifCLASSINFOpdf conditional that works the same way.
% When switching from latex to pdflatex and vice-versa, the compiler may
% have to be run twice to clear warning/error messages.






% *** CITATION PACKAGES ***
%
%\usepackage{cite}
% cite.sty was written by Donald Arseneau
% V1.6 and later of IEEEtran pre-defines the format of the cite.sty package
% \cite{} output to follow that of IEEE. Loading the cite package will
% result in citation numbers being automatically sorted and properly
% "compressed/ranged". e.g., [1], [9], [2], [7], [5], [6] without using
% cite.sty will become [1], [2], [5]--[7], [9] using cite.sty. cite.sty's
% \cite will automatically add leading space, if needed. Use cite.sty's
% noadjust option (cite.sty V3.8 and later) if you want to turn this off.
% cite.sty is already installed on most LaTeX systems. Be sure and use
% version 4.0 (2003-05-27) and later if using hyperref.sty. cite.sty does
% not currently provide for hyperlinked citations.
% The latest version can be obtained at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/cite/
% The documentation is contained in the cite.sty file itself.






% *** GRAPHICS RELATED PACKAGES ***
%
\ifCLASSINFOpdf
  \usepackage[pdftex]{graphicx}
  % declare the path(s) where your graphic files are
  % \graphicspath{{../pdf/}{../jpeg/}}
  % and their extensions so you won't have to specify these with
  % every instance of \includegraphics
  % \DeclareGraphicsExtensions{.pdf,.jpeg,.png}
\else
  % or other class option (dvipsone, dvipdf, if not using dvips). graphicx
  % will default to the driver specified in the system graphics.cfg if no
  % driver is specified.
  % \usepackage[dvips]{graphicx}
  % declare the path(s) where your graphic files are
  % \graphicspath{{../eps/}}
  % and their extensions so you won't have to specify these with
  % every instance of \includegraphics
  % \DeclareGraphicsExtensions{.eps}
\fi
% graphicx was written by David Carlisle and Sebastian Rahtz. It is
% required if you want graphics, photos, etc. graphicx.sty is already
% installed on most LaTeX systems. The latest version and documentation can
% be obtained at: 
% http://www.ctan.org/tex-archive/macros/latex/required/graphics/
% Another good source of documentation is "Using Imported Graphics in
% LaTeX2e" by Keith Reckdahl which can be found as epslatex.ps or
% epslatex.pdf at: http://www.ctan.org/tex-archive/info/
%
% latex, and pdflatex in dvi mode, support graphics in encapsulated
% postscript (.eps) format. pdflatex in pdf mode supports graphics
% in .pdf, .jpeg, .png and .mps (metapost) formats. Users should ensure
% that all non-photo figures use a vector format (.eps, .pdf, .mps) and
% not a bitmapped formats (.jpeg, .png). IEEE frowns on bitmapped formats
% which can result in "jaggedy"/blurry rendering of lines and letters as
% well as large increases in file sizes.
%
% You can find documentation about the pdfTeX application at:
% http://www.tug.org/applications/pdftex





% *** MATH PACKAGES ***
%
%\usepackage[cmex10]{amsmath}
% A popular package from the American Mathematical Society that provides
% many useful and powerful commands for dealing with mathematics. If using
% it, be sure to load this package with the cmex10 option to ensure that
% only type 1 fonts will utilized at all point sizes. Without this option,
% it is possible that some math symbols, particularly those within
% footnotes, will be rendered in bitmap form which will result in a
% document that can not be IEEE Xplore compliant!
%
% Also, note that the amsmath package sets \interdisplaylinepenalty to 10000
% thus preventing page breaks from occurring within multiline equations. Use:
%\interdisplaylinepenalty=2500
% after loading amsmath to restore such page breaks as IEEEtran.cls normally
% does. amsmath.sty is already installed on most LaTeX systems. The latest
% version and documentation can be obtained at:
% http://www.ctan.org/tex-archive/macros/latex/required/amslatex/math/





% *** SPECIALIZED LIST PACKAGES ***
%
%\usepackage{algorithmic}
% algorithmic.sty was written by Peter Williams and Rogerio Brito.
% This package provides an algorithmic environment fo describing algorithms.
% You can use the algorithmic environment in-text or within a figure
% environment to provide for a floating algorithm. Do NOT use the algorithm
% floating environment provided by algorithm.sty (by the same authors) or
% algorithm2e.sty (by Christophe Fiorio) as IEEE does not use dedicated
% algorithm float types and packages that provide these will not provide
% correct IEEE style captions. The latest version and documentation of
% algorithmic.sty can be obtained at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/algorithms/
% There is also a support site at:
% http://algorithms.berlios.de/index.html
% Also of interest may be the (relatively newer and more customizable)
% algorithmicx.sty package by Szasz Janos:
% http://www.ctan.org/tex-archive/macros/latex/contrib/algorithmicx/




% *** ALIGNMENT PACKAGES ***
%
%\usepackage{array}
% Frank Mittelbach's and David Carlisle's array.sty patches and improves
% the standard LaTeX2e array and tabular environments to provide better
% appearance and additional user controls. As the default LaTeX2e table
% generation code is lacking to the point of almost being broken with
% respect to the quality of the end results, all users are strongly
% advised to use an enhanced (at the very least that provided by array.sty)
% set of table tools. array.sty is already installed on most systems. The
% latest version and documentation can be obtained at:
% http://www.ctan.org/tex-archive/macros/latex/required/tools/


%\usepackage{mdwmath}
%\usepackage{mdwtab}
% Also highly recommended is Mark Wooding's extremely powerful MDW tools,
% especially mdwmath.sty and mdwtab.sty which are used to format equations
% and tables, respectively. The MDWtools set is already installed on most
% LaTeX systems. The lastest version and documentation is available at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/mdwtools/


% IEEEtran contains the IEEEeqnarray family of commands that can be used to
% generate multiline equations as well as matrices, tables, etc., of high
% quality.


%\usepackage{eqparbox}
% Also of notable interest is Scott Pakin's eqparbox package for creating
% (automatically sized) equal width boxes - aka "natural width parboxes".
% Available at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/eqparbox/





% *** SUBFIGURE PACKAGES ***
%\usepackage[tight,footnotesize]{subfigure}
% subfigure.sty was written by Steven Douglas Cochran. This package makes it
% easy to put subfigures in your figures. e.g., "Figure 1a and 1b". For IEEE
% work, it is a good idea to load it with the tight package option to reduce
% the amount of white space around the subfigures. subfigure.sty is already
% installed on most LaTeX systems. The latest version and documentation can
% be obtained at:
% http://www.ctan.org/tex-archive/obsolete/macros/latex/contrib/subfigure/
% subfigure.sty has been superceeded by subfig.sty.



%\usepackage[caption=false]{caption}
%\usepackage[font=footnotesize]{subfig}
% subfig.sty, also written by Steven Douglas Cochran, is the modern
% replacement for subfigure.sty. However, subfig.sty requires and
% automatically loads Axel Sommerfeldt's caption.sty which will override
% IEEEtran.cls handling of captions and this will result in nonIEEE style
% figure/table captions. To prevent this problem, be sure and preload
% caption.sty with its "caption=false" package option. This is will preserve
% IEEEtran.cls handing of captions. Version 1.3 (2005/06/28) and later 
% (recommended due to many improvements over 1.2) of subfig.sty supports
% the caption=false option directly:
%\usepackage[caption=false,font=footnotesize]{subfig}
%
% The latest version and documentation can be obtained at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/subfig/
% The latest version and documentation of caption.sty can be obtained at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/caption/




% *** FLOAT PACKAGES ***
%
%\usepackage{fixltx2e}
% fixltx2e, the successor to the earlier fix2col.sty, was written by
% Frank Mittelbach and David Carlisle. This package corrects a few problems
% in the LaTeX2e kernel, the most notable of which is that in current
% LaTeX2e releases, the ordering of single and double column floats is not
% guaranteed to be preserved. Thus, an unpatched LaTeX2e can allow a
% single column figure to be placed prior to an earlier double column
% figure. The latest version and documentation can be found at:
% http://www.ctan.org/tex-archive/macros/latex/base/



%\usepackage{stfloats}
% stfloats.sty was written by Sigitas Tolusis. This package gives LaTeX2e
% the ability to do double column floats at the bottom of the page as well
% as the top. (e.g., "\begin{figure*}[!b]" is not normally possible in
% LaTeX2e). It also provides a command:
%\fnbelowfloat
% to enable the placement of footnotes below bottom floats (the standard
% LaTeX2e kernel puts them above bottom floats). This is an invasive package
% which rewrites many portions of the LaTeX2e float routines. It may not work
% with other packages that modify the LaTeX2e float routines. The latest
% version and documentation can be obtained at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/sttools/
% Documentation is contained in the stfloats.sty comments as well as in the
% presfull.pdf file. Do not use the stfloats baselinefloat ability as IEEE
% does not allow \baselineskip to stretch. Authors submitting work to the
% IEEE should note that IEEE rarely uses double column equations and
% that authors should try to avoid such use. Do not be tempted to use the
% cuted.sty or midfloat.sty packages (also by Sigitas Tolusis) as IEEE does
% not format its papers in such ways.


%\ifCLASSOPTIONcaptionsoff
%  \usepackage[nomarkers]{endfloat}
% \let\MYoriglatexcaption\caption
% \renewcommand{\caption}[2][\relax]{\MYoriglatexcaption[#2]{#2}}
%\fi
% endfloat.sty was written by James Darrell McCauley and Jeff Goldberg.
% This package may be useful when used in conjunction with IEEEtran.cls'
% captionsoff option. Some IEEE journals/societies require that submissions
% have lists of figures/tables at the end of the paper and that
% figures/tables without any captions are placed on a page by themselves at
% the end of the document. If needed, the draftcls IEEEtran class option or
% \CLASSINPUTbaselinestretch interface can be used to increase the line
% spacing as well. Be sure and use the nomarkers option of endfloat to
% prevent endfloat from "marking" where the figures would have been placed
% in the text. The two hack lines of code above are a slight modification of
% that suggested by in the endfloat docs (section 8.3.1) to ensure that
% the full captions always appear in the list of figures/tables - even if
% the user used the short optional argument of \caption[]{}.
% IEEE papers do not typically make use of \caption[]'s optional argument,
% so this should not be an issue. A similar trick can be used to disable
% captions of packages such as subfig.sty that lack options to turn off
% the subcaptions:
% For subfig.sty:
% \let\MYorigsubfloat\subfloat
% \renewcommand{\subfloat}[2][\relax]{\MYorigsubfloat[]{#2}}
% For subfigure.sty:
% \let\MYorigsubfigure\subfigure
% \renewcommand{\subfigure}[2][\relax]{\MYorigsubfigure[]{#2}}
% However, the above trick will not work if both optional arguments of
% the \subfloat/subfig command are used. Furthermore, there needs to be a
% description of each subfigure *somewhere* and endfloat does not add
% subfigure captions to its list of figures. Thus, the best approach is to
% avoid the use of subfigure captions (many IEEE journals avoid them anyway)
% and instead reference/explain all the subfigures within the main caption.
% The latest version of endfloat.sty and its documentation can obtained at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/endfloat/
%
% The IEEEtran \ifCLASSOPTIONcaptionsoff conditional can also be used
% later in the document, say, to conditionally put the References on a 
% page by themselves.





% *** PDF, URL AND HYPERLINK PACKAGES ***
%
\usepackage{url}
% url.sty was written by Donald Arseneau. It provides better support for
% handling and breaking URLs. url.sty is already installed on most LaTeX
% systems. The latest version can be obtained at:
% http://www.ctan.org/tex-archive/macros/latex/contrib/misc/
% Read the url.sty source comments for usage information. Basically,
% \url{my_url_here}.





% *** Do not adjust lengths that control margins, column widths, etc. ***
% *** Do not use packages that alter fonts (such as pslatex).         ***
% There should be no need to do such things with IEEEtran.cls V1.6 and later.
% (Unless specifically asked to do so by the journal or conference you plan
% to submit to, of course. )


% correct bad hyphenation here
\hyphenation{op-tical net-works semi-conduc-tor}


\begin{document}
%
% paper title
% can use linebreaks \\ within to get better formatting as desired
\title{Privacy Enhancing Application for Smart Phones}
%
%
% author names and IEEE memberships
% note positions of commas and nonbreaking spaces ( ~ ) LaTeX will not break
% a structure at a ~ so this keeps an author's name from being broken across
% two lines.
% use \thanks{} to gain access to the first footnote area
% a separate \thanks must be used for each paragraph as LaTeX2e's \thanks
% was not built to handle multiple paragraphs
%

\author{C\'edric~Remande}%Michael~Shell,~\IEEEmembership{Member,~IEEE,}
        %John~Doe,~\IEEEmembership{Fellow,~OSA,}
        %and~Jane~Doe,~\IEEEmembership{Life~Fellow,~IEEE}% <-this % stops a space
%\thanks{M. Shell is with the Department
%of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta,
%GA, 30332 USA e-mail: (see http://www.michaelshell.org/contact.html).}% <-this % stops a space
%\thanks{J. Doe and J. Doe are with Anonymous University.}% <-this % stops a space
%\thanks{Manuscript received April 19, 2005; revised January 11, 2007.}}

% note the % following the last \IEEEmembership and also \thanks - 
% these prevent an unwanted space from occurring between the last author name
% and the end of the author line. i.e., if you had this:
% 
% \author{....lastname \thanks{...} \thanks{...} }
%                     ^------------^------------^----Do not want these spaces!
%
% a space would be appended to the last name and could cause every name on that
% line to be shifted left slightly. This is one of those "LaTeX things". For
% instance, "\textbf{A} \textbf{B}" will typeset as "A B" not "AB". To get
% "AB" then you have to do: "\textbf{A}\textbf{B}"
% \thanks is no different in this regard, so shield the last } of each \thanks
% that ends a line with a % and do not let a space in before the next \thanks.
% Spaces after \IEEEmembership other than the last one are OK (and needed) as
% you are supposed to have spaces between the names. For what it is worth,
% this is a minor point as most people would not even notice if the said evil
% space somehow managed to creep in.



% The paper headers

%\markboth{Journal of Master Thesis,~Vol.~1, No.~1, August~2012}%
%{Shell \MakeLowercase{\textit{et al.}}: Bare Demo of IEEEtran.cls for Journals}

% The only time the second header will appear is for the odd numbered pages
% after the title page when using the twoside option.
% 
% *** Note that you probably will NOT want to include the author's ***
% *** name in the headers of peer review papers.                   ***
% You can use \ifCLASSOPTIONpeerreview for conditional compilation here if
% you desire.




% If you want to put a publisher's ID mark on the page you can do it like
% this:
%\IEEEpubid{0000--0000/00\$00.00~\copyright~2007 IEEE}
% Remember, if you use this you must call \IEEEpubidadjcol in the second
% column for its text to clear the IEEEpubid mark.



% use for special paper notices
%\IEEEspecialpapernotice{(Invited Paper)}




% make the title area
\maketitle


\begin{abstract}
%\boldmath
%
This article describes the results of an implementation to provide extra security for data on or shared by an Android smart phone. The OpenPGP standard will mainly provide security with an implementation using Spongy Castle on Android. Key management and distribution do not follow the proposed public key infrastructure of the OpenPGP standard. Public keys are added to the contacts of the application. The exchange of these public keys is implemented through exchange of SMS, email or files. Cloud storage, assumed not to be secure, is used to explore the possibilities of implementing a synchronization algorithm among multiple phones and sharing of files. The Java Card technology is added to improve security of the application as a result of a secure execution and storage environment.
 
 %results of an implementation of the OpenPGP standard with Spongy Castle for Android 2.2 Froyo. The second part of the implementation contains a Java Card applet to improve the security of this Android application. The goal of this application is to provide extra security for data on the smart phone or shared by the smart phone.
\end{abstract}
% IEEEtran.cls defaults to using nonbold math in the Abstract.
% This preserves the distinction between vectors and scalars. However,
% if the journal you are submitting to favors bold math in the abstract,
% then you can use LaTeX's standard command \boldmath at the very start
% of the abstract to achieve this. Many IEEE journals frown on math
% in the abstract anyway.

% Note that keywords are not normally used for peerreview papers.
\begin{IEEEkeywords}
Cryptography, OpenPGP, Smart Phone, Secure Element, Java Card, Cloud Storage, Android, Spongy Castle, Dropbox.
\end{IEEEkeywords}






% For peer review papers, you can put extra information on the cover
% page as needed:
% \ifCLASSOPTIONpeerreview
% \begin{center} \bfseries EDICS Category: 3-BBND \end{center}
% \fi
%
% For peerreview papers, this IEEEtran command inserts a page break and
% creates the second title. It will be ignored for other modes.
\IEEEpeerreviewmaketitle



\section{Introduction}
% The very first letter is a 2 line initial drop letter followed
% by the rest of the first word in caps.
% 
% form to use if the first word consists of a single letter:
% \IEEEPARstart{A}{demo} file is ....
% 
% form to use if you need the single drop letter followed by
% normal text (unknown if ever used by IEEE):
% \IEEEPARstart{A}{}demo file is ....
% 
% Some journals put the first two words in caps:
% \IEEEPARstart{T}{his demo} file is ....
% 
% Here we have the typical use of a "T" for an initial drop letter
% and "HIS" in caps to complete the first word.
% You must have at least 2 lines in the paragraph with the drop letter
% (should never be an issue)
\IEEEPARstart{T}{he} wide-spread use of mobile devices in current 
society has made it possible for users to store and share 
information.
In this way, mobile users can perform several tasks and share information in multiple ways through e-mail, social networks, voice communication and blogs. However, current applications assume that users trust the device or the application providers who control the access to their data. This might not always be the case, which leaves mobile device users vulnerable to data privacy leaks. 

The goal is to implement an Android~\cite{android} application that, by using the cryptographic standard OpenPGP~\cite{openpgp}, is able to protect content stored on the mobile device, the data leaving the mobile device and the data shared on the internet. To achieve this, a key management infrastructure, making use of a secure element in the mobile phone and the mobile contacts list has to be developed. These contacts will contain the public keys of the user. Assuming the security of the cloud storage provider cannot be trusted, cloud storage should be used to create synchronization of these contacts among multiple devices.

Similar applications~\cite{apg} that were released require the user to have an advanced knowledge of cryptography. This created a new objective to reach an as broad as possible target audience. The user should not be required to have an extensive cryptographic knowledge. The user interface was created with this in mind and tried to achieve security with a few steps.

The final application has become an open source project, available at~\cite{forap} and~\cite{forapapplet}.

%\hfill mds
 
%\hfill August 23, 2012

%\section{Objective}
%The objective is to secure communication using the OpenPGP standard. The PKI consists of a contacts list with corresponding public keys. This list should be synchronized between multiple devices through the use of Dropbox as cloud storage. Key exchange will be achieved through sending the public key in an SMS message made
%Full integration of SMS and email for sending encrypted messages and automatically detecting and decrypting a incoming encrypted message. 
\section{Architecture}

The architecture used in the implementation consists of the smart phone, the cloud storage and the secure element.

As smart phone, Android is used because of its open design for developers. The application will use the Android API (Application Programming Interface)~\cite{androidapi} to provide a user interface, contacts shared between applications,... As default Android contains old implementations of cryptographic functions. Spongy Castle~\cite{spongy} will be used to solve this problem.%is well documented and supports it with good examples. 



Dropbox~\cite{dropbox} is used for cloud storage. Dropbox offers an easy to use API~\cite{dropboxapi} that, once included in the Android application, provides functions to download, upload, share,... %offers features such as sharing, synchronization,...


The Java Card~\cite{javacard}, used as secure element, will be provide a secure environment. It provides cryptographic co-processors for secure execution of basic cryptographic algorithms such as AES~\cite{aes}, RSA~\cite{rsa78} and so on. Secure storage is also present and will be used for sensitive data. SEEK for Android~\cite{seek} proposes a solution for communication between a smart phone and a Java Card.

The developed application will combine these different components to enable target features.

%The application consists of an interaction between a smart phone, cloud storage and a SE (Secure Element). Each of architectures consists of 

%The smart phone will contain an android application. It can further divided in basic blocks.

\section{Android}
Android was used as mobile device platform for development. It offers developers an open-source environment. Applications are written in Java~cite{java} and the Android API is well documented and has plenty examples to showcase important features that are provided.

The Android operating system was developed with the goal of providing a good security mechanism to protect the user, the applications and the system itself from one another. It is based on a multi-user Linux system. Each application is assigned a unique user-id by the Android OS. When an application is launched, it will run in its own process as that user. This provides sand boxing of different applications through process isolation. Each application can specify the permissions it needs. When the application is installed the user gets prompted to either allow or refuse the application these rights. By default an application has minimal permissions and has to specify clearly the permissions it requires. This creates a secure environment where applications cannot access resources without the proper permission~\cite{androidperm,androidsec}.

For inter-process communication Android provides intents. The Android system will process the intent, preventing direct communication between processes. Intents are used to request a component of an application and can also transfer data between processes. For example if an application requires an email functionality it does not require to implement it. It can send an intent to the Android system asking for an email application. The Android system will then open an email application and automatically fill the fields if the data were provided in the intent.

%In this way intents can create 
%The requested application does not require to be the same as the application where the intent originated from.
%Intents are asynchronous. They can transfer information between processes and 


\subsection{Spongy Castle}
\label{sec:sc}
If `strong' encryption is required in Java, one will need Bouncy Castle. This is a collection API's and a JCE security provider. By default Bouncy Castle is included in Android. The version of this Bouncy Castle is out of date and due to memory limitations only a part of its functionality has been included~\cite{oldbc}. Including the Bouncy Castle API in an application will be difficult due to class loader conflicts. Spongy Castle was created to solve this problem and offers repackage of Bouncy Castle API for Android.
%in Android and has not been updated for 5 years.
%Android contains crippled and out of data version of Bouncy Castle. Due to memory limitations only a part of the functionality was included.

When this project was started, an issue with Spongy Castle~\cite{scnopgp} was that the OpenPGP classes had not been converted yet. The employed solution was including all the OpenPGP code from the Bouncy Castle API directly into the application. The errors that occurred due to the inclusion of this code were solved by changing the import-statements to the Spongy Castle API. The developer of Spongy Castle solved this issue four months ago.%has been solved four months ago.
%due to it not being included 

\subsection{Public Key Management}

Contact persons created by the application require a public key to be attached to them and can therefore also be seen as the user's public keyring. They will be saved in the global contacts database of Android, the contacts provider~\cite{contactsprovider}. A content resolver must be used to insert or edit contacts or to remove them from this contacts provider. An advantage of using the contacts provider is that contact's information is shared among applications. Another advantage is that these contacts are also visible in the global contact list. 

The first time the application is used, the user is required to create an account with user name and password. While logging in, not only the account is created on the device but also key pairs, for encryption and signing, are generated with the given credentials. This account authentication was accomplished with an authentication framework provided by Android API~\cite{auth,acc}. This account is necessary in the management and synchronization of contacts.

When an application inserts a contact with the content resolver in the contacts provider, it is considered a raw contact.  This raw contact represents a person's data coming from a single account. In doing so the developed application will add a raw contact with a given name, email, phone and public key to the contacts provider. The contacts provider will aggregate raw contacts into one contact based on name, email,... The user only perceives these contacts that are composed of one or multiple aggregated raw contacts. %consisting of one or multiple raw contacts.

 %To prevent repetition of similar contacts present in different application, similar contacts will be automatically aggregated. The user will see these aggregated contacts as one in their contacts list.

% supports account management and uses it in the creation of contacts as mentioned before. %proposed by the Android API. The user name and password used to login, are also used to generate the key pair with Spongy Castle for the user. Contacts created by the application and require a public key to be attached to them.  The implementation for these contacts followed the synchronization structure proposed by Android. An additional advantage of using this structure is that contact information is shared between applications through the contacts database of the device itself.

The Android system also offers a synchronization framework as implementation of a sync adapter~\cite{sync}. Once implemented, the synchronization service will be activated by the Android's content resolver when it detects a change in the contacts provider concerning contacts belonging to a specific account. As mentioned before each raw contact belongs to an account and automatic synchronization of the account's contacts can be achieved this way. The implemented application will use this framework to synchronize the contacts with the user's Dropbox.%This structure contains a synchronization service that will be activated by the Android's content resolver when it detects a change in the contacts content provider with the application's authority. Using the contacts database of the android device prevents the need for creation of an own contacts database. . Once implemented the content resolver will call the synchronization method of the implemented subclass of AbstractThreadedSyncAdapter.

Using the contacts provider to access this contacts database is complex. Once mastered it has impressive features such as the deletion of a synchronized contact. When the delete method is called on the content resolver an option can be given to inform if this deletion is part of the synchronization process or not. A locally deleted contact will not be deleted completely but will be marked for deletion. In the synchronization method the contact that was marked for deletion will be passed to the server for proper handling after which the synchronization service can call this deletion method again with the proper option for complete deletion of this contact.
%and difficult to understand when starting development for Android % Then the synchronization service will be started because the content provider detected a change. 

An application with permission to access the contacts provider can read, alter and even delete the information of a contact that is not theirs. To prevent malicious applications altering public keys on the mobile device, a private database was added to perform integrity checks. These integrity checks are done by calculating and comparing a digest of the name, email address, application id and public key each time a public key is used. If tampering is detected, the user is warned and the key is deleted.


\subsection{User Interface}

Currently only a few applications use the same architectural strategy to achieve security on Android with Spongy Castle. A list of known applications using Spongy Castle, contains only one application, APG, that has roughly the same basic goals,~\cite{apg}. APG offers an implementation using the OpenPGP standard. When inspecting the code, one can see that Bouncy Castle has been used. The claim they use Spongy Castle probably arose from future plans to use it. The project has not been updated since late 2010.

This application requires the user to have an advanced knowledge of cryptography. The objective of our application was to reach the broadest possible target audience. The user interface has been created with this in mind and tries to achieve security with as few steps as possible. To achieve better user experience, basic communication methods such as SMS and email should be fully integrated in the application. This will avoid going through a lengthy import or export procedure between the communication applications. In the implemented application SMS integration and email integration are realized as described in the following paragraphs.

%Full SMS and email integration should be implemented to encrypt and/or sign SMS and email messages. On receiving an encrypted SMS or email, the application should automatically alert the user and show the plaintext and/or signature verification on request.

Android provides a protected API for SMS messages. The Android API offers the possibility to send an SMS with or without opening the SMS application. After receiving an SMS, the Android system will sent out a broadcast to all applications. The developed application has a broadcast receiver that will react when such a broadcast is detected. The content of the SMS can then be read and processed if needed. The developed application provides full SMS integration for exchange of encrypted messages or public keys. For example, the user can send an encrypted message in an SMS. When receiving this SMS, the broadcast receiver will automatically detect and notify the user of this encrypted message with a notification in the status bar of the Android mobile. If the user clicks this notification the clear text and/or signature verification will be presented.
% Receiving an SMS can be detected and automatically read with a broadcast receiver. Alteration of messages in the SMS database is not possible through the API.

Email integration is not present in the current API. Only sending an email can be partially automated as follows. An intent must be created with a send request of the type `message/rfc822'. The Android OS will handle this intent and open all applications that can process this request. The user will be prompted to choose from a list if multiple applications can handle the request. In this way an email to send an encrypted file can be created in the application. The Android API generates no broadcast if an email is received. This makes automatic processing of an email with an encrypted message impossible. The only solution would be that the email application provides an interface for this information and makes a broadcast when an email is received.
%user will be prompted a list to choose from

\section{Dropbox}
Dropbox offers a free and easy to use API available for developers. This API provides features such as downloading, uploading, sharing and many more. When installing an application using Dropbox API, the user will be asked if this application is allowed to use his Dropbox storage space. Once accepted a folder will be created in the Dropbox storage of the user. The application has access to this folder only. Multiple users will never share the same storage space for these data. On the other hand, cloud computing is unable to execute any logic. A synchronization algorithm for example will be executed locally.% When an application integrates this Dropbox API it will require the user to allow the application to communicate with the user's Dropbox. In the user's Dropbox a folder will be made and the application only has full control over this folder.
%Once accepted a folder will be created in the `App' folder of the user. The application only has access to this folder. 
%Each user will expose a segment of his storage space to the application. 

Dropbox provides a vague description of the communication security through the protocols SSL and AES-256 on their website. Assuming the security system, using these protocols, can be flawed, the developed application provides its own security. The code of the developed application~\cite{forap} is open source and can be reviewed by peers. 

The Dropbox integration gives opportunities for multiple features. A first feature is synchronization of contacts with their corresponding public keys. As mentioned in the previous part, the developed application has implemented synchronization of contacts. These data will be sent to the user's Dropbox storage space and the security is achieved through the use of OpenPGP, with the user's public key. This way we ensure confidentiality and integrity of these data. The availability of these data is not under our control. % for data A server must be implemented.For this feature we have started a service on the Android system. This service will
%This is securely achieved through the use of OpenPGP with the public key of the user. This way we ensure confidentiality and integrity of this data. Availability is not under our control.

A second feature addresses the exchange problem of a key or encrypted message. A public key or encrypted message can be too large to send directly as one SMS, resulting in sending many SMS messages. Not only is this confusing for the user but it can also be costly. In the implemented application the public key or encrypted message will first be saved on Dropbox. Then a link will be requested and an SMS containing this link will be sent.% before sending a link to this uploaded file within an SMS message is a better solution. 
%to send a public key or encrypted file can 
%An integrity check is added to the SMS when sending a public key this link for integrity verification. The encrypted files already contain integrity information and do not require this extra check.

The last feature implemented using Dropbox is the exchange of the secret key. This is necessary to allow a single user, the use of multiple mobile devices or switching to a new device. As mentioned before when a user opens the application for the first time a login screen appears. Besides the possibility of creating a new account, it is also possible for him to synchronize with an existing account. The developed application implements an authenticated-encryption scheme OCB~\cite{ocb,rogaway} (Offset Code Book) to ensure secure storage of the private key. This scheme will ensure confidentiality and integrity of encrypted private key. It will be encrypted with OCB-AES-256 before it is uploaded to Dropbox. The password of the user's account is used in PBKDF2~\cite{pbkdf} (Password-Based Key Derivation Function 2) in order to create a key for OCB-AES-256.



%Availability is a important factor to commercialize an application. If the target is bussiness users this should be changed to a storage provider which ensures availability through contracts.

%problem of contactfile(misschien niet hier)

%.AVAILABILTY is very important


\section{Java Card}

Java Card is used as mobile secure element. Secure elements can either be embedded into the phone, stored inside a microSD card or be present on a SIM Card. The used Java Card has version 2.2.2 and is present on a removable microSD card. 

The Java Card technology enables smart cards with limited memory to run small applications. These are called applets and are developed using a very limited subset of the Java language. The Java Card technology was designed following some key concepts. It supports interoperability, so the same applet can run on any Java Card technology-enabled smart card, independent of underlying hardware. Multiple applets can coexist securely on a single smart card. The Java Card Runtime Environment ensures this secure coexistence with an applet firewall. Throughout the life of a smart card new applets can be installed, updated or removed~\cite{jctechover,jctechintro}.

The main concept of a Java Card is improved security against known software and hardware attacks. The Java Card contains secure memory for storing keys or other critical data. Cryptographic co-processors are present and allow secure usage of cryptographic functions in applications. An access controller is present to restrict communication between applications on the mobile device and the Java Card~\cite{mech2}. Protection against hardware attacks such as power analysis is also present.

SEEK for Android~\cite{seek} proposes a solution for communication between a smart phone and a Java Card. The MSC (Mobile Security Card) smart card service~\cite{seekmsc} is used in the developed application and does not require flashing of the phone to have root access. It requires installation of some packages on the Android system and adding the SmartCard API~\cite{seekscapi} to the application. This SmartCard API also offers protection against software attacks such as malicious applications on the Android system trying to directly access lower layer components~\cite{mech1}.

%In the realized application Android OS is used with a Java Card 2.2.2 on a removable microSD card. The Seek for Android project explains how to configure the Android OS for Java Card integration. The solution chosen for the implementation is the library openmobileapi.jar. Other solutions require rooting of the mobile device what isn't possible with our chosen target demographic. This library must be installed on the Android OS prior to the installation of the application itself.It has

%The Java Card has a very limited subset of the Java Virtual Machine. 
%apdu



%impl


The goal is removing the cryptographic workload of the Android device on to the Java Card. Solving this problem by implementing all facets of OpenPGP on the Java Card is not possible due to memory limitations. An applet should be as small as possible and utilize the predefined functions of the API as much as possible. If the applet gets too complex or requires too much memory, the performance will decrease drastically. 

Not only the generation of the session key and key pairs must be transferred to the Java Card but also the used cryptographic algorithms. As mentioned in section~\ref{sec:sc}, the code of the OpenPGP library from Bouncy Castle was directly imported into the code of the developed application. Through analysis of this code we have found two points where the work flow can be split and brought back together. These points redirect, if the Java Card is present, the data for the two basic cryptographic algorithms in OpenPGP to the Java Card.

\begin{figure}[!t]
\centering
\includegraphics[width=2.5in]{implementatieJava.jpg}
% where an .eps filename suffix will be assumed under latex, 
% and a .pdf suffix will be assumed for pdflatex; or what has been declared
% via \DeclareGraphicsExtensions.
\caption{Communication between application and applet}
\label{fig:app}
\end{figure}

The first point of redirection is the creation of session data. The applet will be given a public key for asymmetric encryption. A freshly generated session key is surrounded by a symmetric algorithm identifier and checksum. This identifier and checksum are added as defined in the OpenPGP standard~\cite{rfc4880}. Then this encapsulated session key is encrypted with the asymmetric algorithm using the given public key. Once this is done the encrypted session data are given back to Spongy Castle for further processing. For decryption, the session data will be given to the card which can decrypt it with the present secret key. After checking the checksum and removing the algorithm number the remaining bytes can be used as the session key for the decryption process.  Not only must the asymmetric encryption and decryption be executed on the Java Card but also the adding and removing of the surrounding bytes must be present on the Java Card due to the fact that the session must never leave the card.

 %This was accomplished with a simple condition in one class of the OpenPGP library.
 
The second point of redirection is the symmetric encryption of the message itself. In the OpenPGP library the class CipherOutputStream is used for symmetric encryption and CipherInputStream for symmetric decryption. Using inheritance these classes were extended to send the bytes to the Java Card if present. OpenPGP uses CFB (Cipher Feedback) mode for the symmetric block cipher while the Java Card API only supports ECB (Electronic Code Book) and CBC (Cyclic Block Chainig) mode. The CFB mode is implemented, as defined in the OpenPGP standard, using the ECB mode. Once the CFB mode is present on the Java Card the message can be sent from the application to the Java Card and encrypted using the generated session key.



%is not present in the Java Card API and
Other operations such as compression of the data before they are encrypted and the encapsulation of the encrypted message are still present on the mobile phone. The transfer of these operations adds no improvement to the security and deteriorates the performance of the applet. %CHECKSUM MAYBE USE JC  u can use integrity packet MessageDigest Stream can be adapted in the same way CipherStream


The result is a transfer of the symmetric and asymmetric cryptography to the Java Card. Figure~\ref{fig:app} shows the steps of communication. In the first step a public key is sent. The applet responds after generating a session key with the encrypted session data. The last two steps can be repeated and will contain the plaintext going to the applet and ciphertext returning from the applet. The implementation followed the standard defined in OpenPGP to ensure compatible communication between mobile devices with or without this Java Card. 

The performance of encryption and decryption is slower than on the phone. A few steps were taken to improve performance. In the first step temporary values in the applet were changed to use the proper declarations for storage into the fast and volatile RAM (Random-Access memory) memory instead of the slow and non-volatile EEPROM (Electrically Erasable Programmable Read-Only Memory)~\cite{jccrypto}. A second step was the result of reducing the amount of APDU's (Application Protocol Data Unit) sent between the application and the applet. These APDU's are communication packets and have a maximum of 256 bytes data. Observation of these APDU's showed that they sometimes contained very little data. In this second step a buffer was made to generate communication packet only if there are enough data present. These steps reduce the execution time approximatively by half. These first steps are taken to improve performance. Further research and development can continue to improve the execution time.

\section{Results}

Cryptography on Android is achieved with Spongy Castle. The current implementation has fixed algorithm choices; CFB-AES-256 for symmetric encryption and RSA with a 2048 bit key for asymmetric encryption and digital signatures. The implementation adds support for OCB mode of operation. This is necessary to support the synchronization of the private key on Dropbox. Any readable file of the Android system or typed text message can be used for encryption. The input buffer still needs some optimizing to prevent problems when reading large files.%OpenPGP standard was implemented with fixed algorithms. For encryption, decryption, signature creation and signature verification RSA, with 2048 bit keys, and AES-256 in CFB mode are used. 

The application has a login screen on which the user can create an account. All contacts created, edited or deleted by the user, belong to that account. The synchronization of these account's contacts is automatically launched after a change is detected. In this synchronization procedure the contacts are saved as a file on the user's Dropbox. To ensure security of this file, OpenPGP is used to encrypt these data with the user's public key. 

A contact of the implemented application will have a corresponding secret key. Due to the fact that the contacts provider is used to save the contacts of the implemented application, the contact information will be shared between applications. A disadvantage is that applications with the permissions to write to this contacts provider, can also change contact information of other applications. To prevent public key tampering, a private database was added with message digests of contacts to perform integrity checks.

Full SMS integration is achieved. Sending an encrypted message directly from the application is possible. Automatically detecting a received encrypted message and decrypting it after the user clicks on the notification is present. Full email integration is impossible with the current Android API. Only sending of an email message is possible with the use of an intent. The application can also react to share actions and opened files that are encrypted or contain a public key. 


The Java Card can generate a 256 bit session key. Before asymmetric encryption the session key will be encapsulated as described by the OpenPGP. For asymmetric encryption RSA is used with a 2048 bit key. The implementation contains a structure to import a key of sizes bigger than 256 bytes.  CFB-AES-256 is used for the symmetric encryption. The implementation provides compatibility between users with and without a Java Card, because encapsulation of the session key and the CFB mode was implemented as described in the OpenPGP standard.
%Once the is encapsulated session key is encrypted, it is returned to the Android application.


%Contacts are automatically synchronized through dropbox on multiple devices or can be restored on a device if the data was lost. It supports manipulations of new and existing contacts. The contacts of the application are visible in the standard contacts app of the Android device.



% needed in second column of first page if using \IEEEpubid
%\IEEEpubidadjcol

\section{Conclusion}

%This is the best and first yes you heard right its the first and best app in the worldif you want pgp. WHy would u say? well let me tell u
The Android application provides security through a widely used and known OpenPGP standard. This standard was implemented using Spongy Castle and circumvents the problems of using the default Bouncy Castle containing out-of-date cryptographic implementations. Assuming the security system provided by Dropbox is not to be trusted, storing and sharing is achieved in a secure way using the realized cryptography. 
% Following this standard can make this application compatible with other 

Android provides security through a permission mechanism. This security can be circumvented if an application or user has root access. Java Card technology solves this problem because it provides secure storage space for sensitive data. The session key and private key of the OpenPGP standard should never leave this secure memory. Not only does the Java Card technology offer a solution to Android's storage problem but it also provides a secure execution environment. The security of any application using cryptographic functions can greatly increase its resistance to known software and hardware attacks using the Java Card technology.  

In the future each smart phone should be equipped with a built in Java Card or provide support for a second microSD slot. By default the Android API should also offer functionalities to communicate with such secure smart cards. This is also the goal of The SEEK for Android project.

As mentioned, the performance of the applet is very slow compared to execution on the Android device. A few steps have been taken to improve execution time but has not yielded a decent solution. Further research and development is still required to improve this performance.



%Security  wimproved because 
%Java Card technology can be used to improve security of OpenPGP packets. The newest version of Java Card 3.0.4 still doesnt support CFB. This could heavily impact performance
%Java Card technology increases the security against hardware and software attacks. OpenPGP encryption and decryption are implemented in the applet on the Java Card.

%Possibilities to improve security with Java Card technology is the final objective. This project is open source and can be found at REFS
%Java Card should be standard through extra sd slot or embedded -> security

%Commericialisation through beter availabilty -> SLA -> free app(target personal use) + paying app replaces dropbox with trusted storage provider with good SLA this package not opne source and priced -> target bussiness with contractual responsabilty...											

%\subsubsection{Subsubsection Heading Here}
%Subsubsection text here.


% An example of a floating figure using the graphicx package.
% Note that \label must occur AFTER (or within) \caption.
% For figures, \caption should occur after the \includegraphics.
% Note that IEEEtran v1.7 and later has special internal code that
% is designed to preserve the operation of \label within \caption
% even when the captionsoff option is in effect. However, because
% of issues like this, it may be the safest practice to put all your
% \label just after \caption rather than within \caption{}.
%
% Reminder: the "draftcls" or "draftclsnofoot", not "draft", class
% option should be used if it is desired that the figures are to be
% displayed while in draft mode.
%

% Note that IEEE typically puts floats only at the top, even when this
% results in a large percentage of a column being occupied by floats.


% An example of a double column floating figure using two subfigures.
% (The subfig.sty package must be loaded for this to work.)
% The subfigure \label commands are set within each subfloat command, the
% \label for the overall figure must come after \caption.
% \hfil must be used as a separator to get equal spacing.
% The subfigure.sty package works much the same way, except \subfigure is
% used instead of \subfloat.
%
%\begin{figure*}[!t]
%\centerline{\subfloat[Case I]\includegraphics[width=2.5in]{subfigcase1}%
%\label{fig_first_case}}
%\hfil
%\subfloat[Case II]{\includegraphics[width=2.5in]{subfigcase2}%
%\label{fig_second_case}}}
%\caption{Simulation results}
%\label{fig_sim}
%\end{figure*}
%
% Note that often IEEE papers with subfigures do not employ subfigure
% captions (using the optional argument to \subfloat), but instead will
% reference/describe all of them (a), (b), etc., within the main caption.


% An example of a floating table. Note that, for IEEE style tables, the 
% \caption command should come BEFORE the table. Table text will default to
% \footnotesize as IEEE normally uses this smaller font for tables.
% The \label must come after \caption as always.
%
%\begin{table}[!t]
%% increase table row spacing, adjust to taste
%\renewcommand{\arraystretch}{1.3}
% if using array.sty, it might be a good idea to tweak the value of
% \extrarowheight as needed to properly center the text within the cells
%\caption{An Example of a Table}
%\label{table_example}
%\centering
%% Some packages, such as MDW tools, offer better commands for making tables
%% than the plain LaTeX2e tabular which is used here.
%\begin{tabular}{|c||c|}
%\hline
%One & Two\\
%\hline
%Three & Four\\
%\hline
%\end{tabular}
%\end{table}


% Note that IEEE does not put floats in the very first column - or typically
% anywhere on the first page for that matter. Also, in-text middle ("here")
% positioning is not used. Most IEEE journals use top floats exclusively.
% Note that, LaTeX2e, unlike IEEE journals, places footnotes above bottom
% floats. This can be corrected via the \fnbelowfloat command of the
% stfloats package.



%\section{Conclusion}
%The conclusion goes here.





% if have a single appendix:
%\appendix[Proof of the Zonklar Equations]
% or
%\appendix  % for no appendix heading
% do not use \section anymore after \appendix, only \section*
% is possibly needed

% use appendices with more than one appendix
% then use \section to start each appendix
% you must declare a \section before using any
% \subsection or using \label (\appendices by itself
% starts a section numbered zero.)
%


%\appendices
%\section{Proof of the First Zonklar Equation}
%Appendix one text goes here.

% you can choose not to have a title for an appendix
% if you want by leaving the argument blank
%\section{}
%Appendix two text goes here.


% use section* for acknowledgement
%\section*{Acknowledgment}


%The authors would like to thank...


% Can use something like this to put references on a page
% by themselves when using endfloat and the captionsoff option.
%\ifCLASSOPTIONcaptionsoff
%  \newpage
%\fi



% trigger a \newpage just before the given reference
% number - used to balance the columns on the last page
% adjust value as needed - may need to be readjusted if
% the document is modified later
%\IEEEtriggeratref{8}
% The "triggered" command can be changed if desired:
%\IEEEtriggercmd{\enlargethispage{-5in}}

% references section

% can use a bibliography generated by BibTeX as a .bbl file
% BibTeX documentation can be easily obtained at:
% http://www.ctan.org/tex-archive/biblio/bibtex/contrib/doc/
% The IEEEtran BibTeX style support page is at:
% http://www.michaelshell.org/tex/ieeetran/bibtex/
%\bibliographystyle{IEEEtran}
\bibliographystyle{IEEEtran}
%\bibliography{cite}
% argument is your BibTeX string definitions and bibliography database(s)
%\bibliography{IEEEabrv,../bib/paper}
\bibliography{referentiesArticle}

% <OR> manually copy in the resultant .bbl file
% set second argument of \begin to the number of references
% (used to reserve space for the reference number labels box)


%\begin{thebibliography}{1}
%
%\bibitem{IEEEhowto:kopka}
%H.~Kopka and P.~W. Daly, \emph{A Guide to \LaTeX}, 3rd~ed.\hskip 1em plus
%  0.5em minus 0.4em\relax Harlow, England: Addison-Wesley, 1999.
%  
%
%
%\end{thebibliography}

% biography section
% 
% If you have an EPS/PDF photo (graphicx package needed) extra braces are
% needed around the contents of the optional argument to biography to prevent
% the LaTeX parser from getting confused when it sees the complicated
% \includegraphics command within an optional argument. (You could create
% your own custom macro containing the \includegraphics command to make things
% simpler here.)
%\begin{biography}[{\includegraphics[width=1in,height=1.25in,clip,keepaspectratio]{mshell}}]{Michael Shell}
% or if you just want to reserve a space for a photo:

%\begin{IEEEbiography}{Michael Shell}
%Biography text here.
%\end{IEEEbiography}

% if you will not have a photo at all:
%\begin{IEEEbiographynophoto}{John Doe}
%Biography text here.
%\end{IEEEbiographynophoto}

% insert where needed to balance the two columns on the last page with
% biographies
%\newpage

%\begin{IEEEbiographynophoto}{Jane Doe}
%Biography text here.
%\end{IEEEbiographynophoto}

% You can push biographies down or up by placing
% a \vfill before or after them. The appropriate
% use of \vfill depends on what kind of text is
% on the last page and whether or not the columns
% are being equalized.

%\vfill

% Can be used to pull up biographies so that the bottom of the last one
% is flush with the other column.
%\enlargethispage{-5in}



% that's all folks
\end{document}

